And without a doubt, no one will be happier than the National Security Agency (NSA) and law enforcement. While Google's cloud computing has provided a platform for the company to grab a big chunk of the low-cost notebook market and upend Microsoft's Windows applecart, the recent NSA leaks by Edward Snowden have put the cloud under... a cloud.

There are some places where this isn't going to necessarily have much impact on Google's market ascension. Google has steamrollered the education market with Google Apps, and the low-cost Chromebook is a natural fit for the classroom. My middle-school-aged daughter now is required to have a Google account for school so she can be linked into her teacher's shared documents; the Chromebook's connection to Google credentials means that she can share a device with classmates, and the school doesn't need IT support to provision accounts on them.

The Chromebook is also an interesting development platform in many ways—the recent functional additions to the Google Apps platform have made it more developer friendly, and collaborative applications live much more happily in a cloud-connected environment than they do in synchronized caches on devices scattered from here to hell and back.

And Chromebooks are designed to allow users to create a lot more information on the device than they might on a tablet. I've been testing a Chromebook Pixel since June's Google I/O event, and the top-end Chromebook has its charms (though its $1,400 price tag is not among them). The Pixel's big and bright touchscreen, built-in 4G wireless, and long battery life make it a somewhat reasonable alternative to tablets for applications heavy on data entry from a keyboard. The new Haswell systems will undoubtedly take many of those advantages and run with them.

But Haswell won't mitigate paranoia over cloud security and compliance, of course. Google has taken many steps forward in easing businesses' concerns over the security of Google Apps over the past few years. But the revelations about the NSA and FBI's PRISM program have added new doubts, particularly outside the US, about the wisdom of putting everything in Google's (or any other cloud provider's) basket.

Furthermore, the Chromebook is everything a government watchman could want—even without Google Apps data and Gmail, it could give those with network monitoring capabilities a way to pinpoint the location of a credential-holder via 4G wireless (thanks, Verizon).

If recent revelations from Brazil are correct, Chromebook plus a government-forged Google certificate equals a man-in-the-middle attack against the SSL security of Google's services—and a way for the government to read all of your e-mails and documents as they pass back and forth through an Internet chokepoint to and from your browser.

None of this is necessarily Google's fault. But it's a weakness of the browser as platform—by pushing nearly all the computing resources for applications, besides presentation, back up into the cloud, the Chromebook model creates a one-stop shop for attackers or observers to inject themselves into your computing world. As the Syrian Electronic Army has proven, it doesn't take the power of the NSA to breach a cloud-based infrastructure—just one bad click on a link and users can give over the keys to their entire digital lives.

Google has addressed some of the security issues around the Chromebook and Google Apps model with its two-factor authentication. But until Google can protect its users' data (physically and legally) at the same level that users can protect themselves by keeping their data encrypted in their own offices and homes, the Chromebook is going to be very popular at Fort Meade—not as something they use, but as something they hope everyone else uses. I don't worry about the NSA reading my daughter's homework (that much), but I've grown increasingly wary about whether they're checking what comes into my work mailbox.

Update: Last night, I received a terse email from a Google representative: "Would be nice if you could give Google an opportunity to respond before making broad allegations. Chromebook is the safest computer one can buy. Security overview here, and earlier this year in a hacking competition no researcher was able to get a full exploit against Chrome OS."

As far as endpoints go, I'd agree that the Chromebook is far less insecure than many other platforms; but the point I'm trying to make has nothing to do with the Chromebook's local security and everything to do with the already well-demonstrated issues around cloud privacy. I could have just as well written an article entitled "Why the NSA loves (fill in name of public cloud service here)," but Chromebook is unique in its tethering to a single set of cloud services over web protocols. When used with the best practices for web security, the Chromebook is secure against most direct attacks on the local hardware and the Chrome browser, but its dependence on a web-based backend where US courts have already ruled there's less of an expectation of privacy is something no amount of end-point security is going to fix.

134 Reader Comments

Sacrifice of privacy already should have been a known factor when you put something in the cloud. Maybe the more interesting angle is that there are people out there who thought no one could read what you put in the cloud or sent in unencrypted email? If so, they were truly naive.

If it's not encrypted and decrypted by a key known solely by you, it's not secure and never has been, Snowden or no. Snowden has just confirmed what everyone should have known was possible already.

See, I'm very worried about someone reading my child's homework, or other things attached to that account. I'm worried about some arbitrary trigger (be it drug reference, pen pal in the middle east, or whatever) that causes a closer look by authorities. We know the NSA shares data with other law enforcement agencies; how do we know what they are looking for? I'd rather not get caught up in some overzealous bureaucrat's promotion-building case because my kid is talking about an underage kid's selfie.

I'm not sure I understand why you should pick on Chromebook. Android is a full OS sponsored by Google, and the intent there is that everything is stored in the cloud too. What is the difference between Chromebook and an Android smartphone?

You make the statement "And Chromebooks are designed to receive a lot more information from the user than a tablet might" but you don't back it up. What does a Chromebook "receive" from you that is more or less than a phone or tablet would?

Is it just the fact there's a keyboard attached, and therefore more likely to be used for content creation?

This reads as a grasp at straws. "A Chromebook was used in a security breach! Clearly this means the platform is hopelessly flawed and handing over all your information to the NSA because reasons." I have a Chromebook, and I don't have much of anything in the cloud to go with it. It's used for web browsing, which would have the exact same problem were I using Chrome or IE or Firefox as it has in ChromeOS. Most of my stuff on it is stored locally. There it has the same flaws that it has if stored locally on Windows, OSX, Linux, Solaris, etc. So I'm not entirely sure what Chromebooks are doing to get this arbitrary call out.

Also, one machine being used as part of a hacking scheme doesn't really say much about the platform. It certainly doesn't invite the sudden jump from "guy in Brazil did something" to "NSA is going to do this to all things you do on a Chromebook."

[EDIT] The following is incorrect. Google's standard age requirements may not apply to education domains for various reasons. It's not listed, so I'm assuming the requirement is more case by case than a standard. The incorrect chunk of comment has been kept for posterity purposes. [/EDIT]

Quote:

My middle-school-aged daughter now is required to have a Google account for school so she can be linked into her teacher's shared documents;

Side note, how old is your kid? The school may be forcing you to violate Google's terms simply by requiring a 12 year old or younger to have a Google account. That's kind of a big no no.

I'm not sure I understand why you should pick on Chromebook. Android is a full OS sponsored by Google, and the intent there is that everything is stored in the cloud too. What is the difference between Chromebook and an Android smartphone?

You make the statement "And Chromebooks are designed to receive a lot more information from the user than a tablet might" but you don't back it up. What does a Chromebook "receive" from you that is more or less than a phone or tablet would?

Is it just the fact there's a keyboard attached, and therefore more likely to be used for content creation?

It's likely a matter of marketing on Google's part. Chromebooks are heavily reliant on cloud storage and data and are marketed as such: "Best of Google: Create and share documents with Google Drive. Enjoy your favorite songs and movies with Google Play." Even on your phone, you could store your notes locally and your movies and music locally but you're not supposed to on your Chromebook.

Is anything here actually unique to chromebooks? As I understand it, backwards compatible email is basically impossible to make secure no matter what. Unless both parties are encrypting the text themselves, any email traveling over the internet is vulnerable assuming NSA can MITM SSL (and mostly, email is just generally insecure). The same is true for all other data that is on the network at any point. Chromebooks may send the data back and forth a bit more often, but with the new capabilities google is trying to add to chrome apps that isn't technically necessary anymore either.

On the other hand, everything stored locally on chromebooks is encrypted decently well by default, and security updates are applied automatically.

If we assume all common security on the internet is broken, then we're all pretty much screwed now no matter what. If it is at all possible to still have secure connections this seems like 6 of one, half a dozen of the other. Anything that stores data with google is subject to third party doctrine searches, but I can use a chromebook reasonably well without relying on any more google services than I do on a Windows, Linux or OSX computer.

I'm not sure I understand why you should pick on Chromebook. Android is a full OS sponsored by Google, and the intent there is that everything is stored in the cloud too. What is the difference between Chromebook and an Android smartphone?

You make the statement "And Chromebooks are designed to receive a lot more information from the user than a tablet might" but you don't back it up. What does a Chromebook "receive" from you that is more or less than a phone or tablet would?

Is it just the fact there's a keyboard attached, and therefore more likely to be used for content creation?

I don't really detect a bad bias against the chromebook here since there is a disclaimer that it isn't Google's fault, but IIRC, Win8 now offers a lot with the cloud. So does icloud. And unlike Android, it backs up all your SMS.

But just to refresh my memory, is anything stored locally on a Chromebook?

The idea of a cloud-tethered notebook that can keep its owner connected over Wi-Fi and broadband all day long—in some cases for less than the price of a shiny new Apple iPhone—is going to be awfully appealing to many.

One could argue that using the wireless capabilities of the Nexus to overcome its limited storage falls under the same umbrella.*

I have a Google Nexus - a sweet smartphone if there ever was one, but I always think twice about any data I might store in their cloud. I can't back up my address book anywhere else, so I do use one of two gmail accounts to do so. Any Google-branded application is avoided. I don't use Notes, and the Gmail app was deleted along with Google Reader, etc.

I know, I know, "paranoia will destroy ya." That's not it. It's that my faith in a company I once believed in is betraying everyone that does business with them. Shame on Google.

But just to refresh my memory, is anything stored locally on a Chromebook?

On my Chromebook? Documents, pictures, movies, music, scripts, etc. Literally everything I use that isn't a website (can't really store Reddit locally) is on my Chromebook. They make it easy to use Drive if you want, but it is far from required in any way.

I have a Google Nexus - a sweet smartphone if there ever was one, but I always think twice about any data I might store in their cloud. I can't back up my address book anywhere else, so I do use one of two gmail accounts to do so. Any Google-branded application is avoided. I don't use Notes, and the Gmail app was deleted along with Google Reader, etc.

I know, I know, "paranoia will destroy ya." That's not it. It's that my faith in a company I once believed in is betraying everyone that does business with them. Shame on Google.

FYI, if you're technically minded you can set up a personal server with OwnCloud. That allows you to store your contact info (and lots of other stuff, but I only use it for contact) on a server you control. With an internet-accessible address, it can replace your usage of Google contacts entirely.

I first started using it because I needed to store and access a large number of people's contact information for an organization, and didn't have their explicit permission to tell Google all I knew about them. I felt safer doing it this way, but I get all the benefits of having their info in my phone.

What happened to pen and paper? I might be wrong, but I do not see the need for computers in schools, except computer education (obviously). This is so much money, which would be way better spent on teachers...

The cost of digital textbooks and laptops/ereaders/tablets/whatever to go with them is significantly lower than the cost of physical textbooks. This allows more money to be better spent on teachers.

But it's a weakness of the browser as platform—by pushing nearly all the computing resources for applications, beside presentation, back up into the cloud, the Chromebook model creates a one-stop shop for attackers or observers to inject themselves into your computing world.

Hasn't this been painfully obvious since day one? What is it going to take to dial back all the Cloud-obsession that everyone rushes into like junkies to a fix?

I'm not sure I understand why you should pick on Chromebook. Android is a full OS sponsored by Google, and the intent there is that everything is stored in the cloud too. What is the difference between Chromebook and an Android smartphone?

It's likely a matter of marketing on Google's part. Chromebooks are heavily reliant on cloud storage and data and are marketed as such: "Best of Google: Create and share documents with Google Drive. Enjoy your favorite songs and movies with Google Play." Even on your phone, you could store your notes locally and your movies and music locally but you're not supposed to on your Chromebook.

I could see that, I guess (I don't pay much attention to marketing). Their intent for phones and tablets is obvious by the design of the Nexus devices (no micro-SD slot). They intend that the phone's storage be supplemented (and essentially mirrored) by the cloud. If anything, it doesn't need to be marketed because they've made it such a core part of the experience. The first thing you do after loading a Cyanogenmod phone ROM is load up gapps (google apps). It's not really the same without it.

Sacrifice of privacy already should have been a known factor when you put something in the cloud. Maybe the more interesting angle is that there are people out there who thought no one could read what you put in the cloud or sent in unencrypted email? If so, they were truly naive.

If it's not encrypted and decrypted by a key known solely by you, it's not secure and never has been, Snowden or no. Snowden has just confirmed what everyone should have known was possible already.

Not really. If I invite you over for dinner, I don't expect to find you searching my desk drawers, despite the fact that I knew you could. And as a law abiding, tax paying American citizen who is not under investigation for anything, I don't expect my government to be surveilling me, despite my knowledge that it's technically possible.

Regardless of what the law allows, IMO the US government's conduct is dishonorable, just like yours would be if you were searching private areas of my home during a dinner party.

I don't think it's the technical possibilities provided by unencrypted data that are offending people worldwide - I think it's the fact that we thought our constitution protected us against our government abusing our rights, despite their ability to do so. I've been a proud, patriotic American for 58 years, and I'm totally disgusted with our government in ways that even George Bush couldn't inspire. At least we expected it of Nixon.

This is a trollbaitish sorta article. Really, what do you create that doesn't flow through multiple servers? If it's not in the cloud, it's being emailed. If not emailed, it's posted to an ftp site. Hard to argue that chrome OS is less secure in this regard. Anyway, I only see one company that is persistently pushing back on the NSA, and that's Google. Microsoft is a close second and Apple seems MIA on the issue.

Side note, how old is your kid? The school may be forcing you to violate Google's terms simply by requiring a 12 year old or younger to have a Google account. That's kind of a big no no.

I'm no fan of google anything, but at least do a LITTLE research and show some basic reading comprehension here: Google Apps for Education is FERPA compatible, and specifically FOR children in school, as well as college students.

"... My middle-school-aged daughter now is required to have a Google account for school so she can be linked into her teacher's shared documents; the Chromebook's connection to Google credentials means that she can share a device with classmates and the school doesn't need IT support to provision accounts on them. ..."

I'm going to assume we're talking 'public schools' here.

You know why your underage daughter is required to have an account with a private corporation so she can get an education at a public school that no longer has the funds to employ people who could maintain a proper computing infrastructure that would protect your daughter's privacy???

Because all the goddamn tax money went to that cancer "Homeland Security" so a bunch of paranoid, power-greedy bureaucrats can get their freak on and put the entire populace under preemptive surveillance.

"May I present the latest addition to our arsenal in the 'War Against Terror': KIDINT."

Sacrifice of privacy already should have been a known factor when you put something in the cloud. Maybe the more interesting angle is that there are people out there who thought no one could read what you put in the cloud or sent in unencrypted email? If so, they were truly naive.

Not really. If I invite you over for dinner, I don't expect to find you searching my desk drawers, despite the fact that I knew you could. And as a law abiding, tax paying American citizen who is not under investigation for anything, I don't expect my government to be surveilling me, despite my knowledge that it's technically possible.

I agree with your sentiments, but you didn't really address my point. You know when you invite strangers over that they can violate your privacy. You have the right to be shocked if they do (as you are shocked by the NSA's actions). However, if you thought that leaving your tax returns and social security card out while inviting people over is secure, you are wrong, and you are completely relying on the goodness of the people.

In this case, the "people" you are inviting to dinner are large corporations interested in milking your information for advertisement improvement. If you're inviting them to dinner, why are you leaving everything out on the table?

Side note, how old is your kid? The school may be forcing you to violate Google's terms simply by requiring a 12 year old or younger to have a Google account. That's kind of a big no no.

I'm no fan of google anything, but at least do a LITTLE research and show some basic reading comprehension here: Google Apps for Education is FERPA compatible, and specifically FOR children in school, as well as college students.

TIL that Google has separate rules from their standard "every account must adhere to this because we are legally obligated to set this minimum bar" rule set for education apps accounts. Thanks for informing me of that. I'll add a strike through edit to my comment to show that it is incorrect.

Please note in the future that not everyone is trying to kill your puppy with a comment and as a result you do not need to be a complete twat with regards to how you correct them.

I have a Google Nexus - a sweet smartphone if there ever was one, but I always think twice about any data I might store in their cloud. I can't back up my address book anywhere else, so I do use one of two gmail accounts to do so. Any Google-branded application is avoided. I don't use Notes, and the Gmail app was deleted along with Google Reader, etc.

I know, I know, "paranoia will destroy ya." That's not it. It's that my faith in a company I once believed in is betraying everyone that does business with them. Shame on Google.

FYI, if you're technically minded you can set up a personal server with OwnCloud. That allows you to store your contact info (and lots of other stuff, but I only use it for contact) on a server you control. With an internet-accessible address, it can replace your usage of Google contacts entirely.

I first started using it because I needed to store and access a large number of people's contact information for an organization, and didn't have their explicit permission to tell Google all I knew about them. I felt safer doing it this way, but I get all the benefits of having their info in my phone.

Side note, how old is your kid? The school may be forcing you to violate Google's terms simply by requiring a 12 year old or younger to have a Google account. That's kind of a big no no.

I'm no fan of google anything, but at least do a LITTLE research and show some basic reading comprehension here: Google Apps for Education is FERPA compatible, and specifically FOR children in school, as well as college students.

TIL that Google has separate rules from their standard "every account must adhere to this because we are legally obligated to set this minimum bar" rule set for education apps accounts. Thanks for informing me of that. I'll add a strike through edit to my comment to show that it is incorrect.

Please note in the future that not everyone is trying to kill your puppy with a comment and as a result you do not need to be a complete twat with regards to how you correct them.

Not a twat. Just a teacher. Basic reading comprehension is too important to not call out.

FYI, if you're technically minded you can set up a personal server with OwnCloud. That allows you to store your contact info (and lots of other stuff, but I only use it for contact) on a server you control. With an internet-accessible address, it can replace your usage of Google contacts entirely.

I first started using it because I needed to store and access a large number of people's contact information for an organization, and didn't have their explicit permission to tell Google all I knew about them. I felt safer doing it this way, but I get all the benefits of having their info in my phone.

I'm sure LDAP is awesome, and maybe I'll look into it one day. Thanks for the pointer. However, 'apt-get install owncloud' works great, while 'apt-get install ldap' doesn't do anything. I'm not that technically minded, I guess.

Please note in the future that not everyone is trying to kill your puppy with a comment and as a result you do not need to be a complete twat with regards to how you correct them.

Not a twat. Just a teacher. Basic reading comprehension is too important to not call out.

The issue is not with what you called out. It is with how you called it out. That was explicitly stated. Seems odd someone who is busting chops on reading comprehension is failing to comprehend what they are reading, but whatever. Good day to you.

Please note in the future that not everyone is trying to kill your puppy with a comment and as a result you do not need to be a complete twat with regards to how you correct them.

Not a twat. Just a teacher. Basic reading comprehension is too important to not call out.

The issue is not with what you called out. It is with how you called it out. That was explicitly stated. Seems odd someone who is busting chops on reading comprehension is failing to comprehend what they are reading, but whatever. Good day to you.

What was wrong with the how? I looked at it, and saw nothing wrong. I spoke to you the same way I speak to my best friends.

My apologies if I pushed a button, but as I said, this is how I behave with my best friends, and personally, I feel that's a compliment to anyone.

The INS and FBI have files on me that include full finger / palm prints, chest X-rays, blood test results and all manner of other things. Back in the UK my prints are held on file and linked to my passport etc. My security clearance back in the 1980's caused a whole other file to be opened on me (MI5 I think).

I presume that the IRS have a file on me as does the TSA from my many travels around the world.

I also have prints on file in Holland (I was a resident there for three years), Singapore (2yrs) and I got 'detained' and processed in New Zealand after a passport mix-up, so I guess my prints are held there too.

Every ten years I need to renew my greencard, so my file is opened up and re-checked by the INS, FBI and Homeland Security too.

Given the level of NSA snooping on non citizens like me, I would expect that the couple of gigs I have on google drive, the 1.4GB of e-mail on gmail, the 4GB on iCloud and the stuff stored on various other cloud services probably gives them quite a lot of extremely dull data on me including location (photos on iCloud/Dropbox), correspondence (email) and my resume (g:drive).

It is not just google services, which are pervasive in my household, but all cloud services that contain any data that may have dual use (photos that are geotagged).

The problem with Google is the same as the problem with every other big data mining operation that is predicated on sniffing out as much info on users as possible. That problem is being a big, fat, simple target that can easily be accessed by a rubber stamp "warrant", apparently by an unknown number of public and private employees and contractors. This makes massive, politically motivated witch hunts easy compared to the task of gaining access to millions of individual devices. Google is bad, all data mining operations are also bad.

Most operating systems are not that secure "out the box". There are many add-ons in the Google App store which will enhance the privacy of the stock Chrome OS, like SyncDocs which encrypts Google Drive and SecureGMail which encrypts Gmail.

However, none of this protects against backdoors in the OS, plus even using encryption will make you a target for the NSA, as you are flagged as "having something to hide".